From 41c122acdda2db1cae9e0de667202153ee81362c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonathan=20C=C3=A1rdenas?= Date: Thu, 13 Feb 2025 11:58:18 -0800 Subject: [PATCH] [Key Vault] Add warnings on RSA1_5 and RSA_OAEP encryption algorithms (#48005) * Add warnings on RSA1_5 and RSA_OAEP algorithms * Replace REST constants with C# names * missing '/' in XML see tag * Chaning missing REST name to property name * Update samples to use RsaOaep256 * Update code snippets * Add Obsolete attribute * Update API * Revert "Update API" This reverts commit ae38e8071549d7ac44ce784f196f01148cea4b1e. * Revert "Add Obsolete attribute" This reverts commit 88e2a7ca86c187bdcb0ab8ef5209dec87169f2cc. --- .../Azure.Security.KeyVault.Keys/README.md | 4 ++-- .../samples/Sample4_EncryptDecrypt.md | 4 ++-- .../src/Cryptography/EncryptionAlgorithm.cs | 14 ++++++++++++++ .../tests/samples/Sample4_EncryptDecrypt.cs | 4 ++-- .../tests/samples/Sample4_EncryptDecryptAsync.cs | 4 ++-- .../tests/samples/SampleSnippets.cs | 4 ++-- 6 files changed, 24 insertions(+), 10 deletions(-) diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/README.md b/sdk/keyvault/Azure.Security.KeyVault.Keys/README.md index 5b34f09b7fe5..2303a265c830 100644 --- a/sdk/keyvault/Azure.Security.KeyVault.Keys/README.md +++ b/sdk/keyvault/Azure.Security.KeyVault.Keys/README.md 
@@ -283,10 +283,10 @@ var cryptoClient = client.GetCryptographyClient(key.Name, key.Properties.Version byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext"); // encrypt the data using the algorithm RSAOAEP -EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext); +EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext); // decrypt the encrypted data. -DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext); +DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext); ``` ### Create a key asynchronously diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/samples/Sample4_EncryptDecrypt.md b/sdk/keyvault/Azure.Security.KeyVault.Keys/samples/Sample4_EncryptDecrypt.md index ab17d1c4e20f..629c5c92d42b 100644 --- a/sdk/keyvault/Azure.Security.KeyVault.Keys/samples/Sample4_EncryptDecrypt.md +++ b/sdk/keyvault/Azure.Security.KeyVault.Keys/samples/Sample4_EncryptDecrypt.md @@ -45,7 +45,7 @@ Note that RSA encryption algorithms have no chaining so they can only encrypt a ```C# Snippet:KeysSample4EncryptKey byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext"); -EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext); +EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext); Debug.WriteLine($"Encrypted data using the algorithm {encryptResult.Algorithm}, with key {encryptResult.KeyId}. The resulting encrypted data is {Convert.ToBase64String(encryptResult.Ciphertext)}"); ``` 
@@ -54,7 +54,7 @@ Debug.WriteLine($"Encrypted data using the algorithm {encryptResult.Algorithm}, Now decrypt the encrypted data. Note that the same algorithm must always be used for both encrypt and decrypt. ```C# Snippet:KeysSample4DecryptKey -DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext); +DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext); Debug.WriteLine($"Decrypted data using the algorithm {decryptResult.Algorithm}, with key {decryptResult.KeyId}. The resulting decrypted data is {Encoding.UTF8.GetString(decryptResult.Plaintext)}"); ``` diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/EncryptionAlgorithm.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/EncryptionAlgorithm.cs index 1a49af3cbf3a..9cc4bfdaf0cf 100644 --- a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/EncryptionAlgorithm.cs +++ b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/EncryptionAlgorithm.cs @@ -37,12 +37,26 @@ public EncryptionAlgorithm(string value) } /// + /// + /// [Not recommended] /// Gets an RSA1_5 . + /// + /// Microsoft recommends using or stronger algorithms for enhanced security. + /// Microsoft does not recommend , which is included solely for backwards compatibility. + /// Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption. + /// /// public static EncryptionAlgorithm Rsa15 { get; } = new EncryptionAlgorithm(Rsa15Value); /// + /// + /// [Not recommended] /// Gets an RSA-OAEP . + /// + /// Microsoft recommends using or stronger algorithms for enhanced security. + /// Microsoft does not recommend , which is included solely for backwards compatibility. + /// utilizes SHA1, which has known collision problems. + /// /// public static EncryptionAlgorithm RsaOaep { get; } = new EncryptionAlgorithm(RsaOaepValue); 
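Review bot: The new remark on RsaOaep, `/// ... utilizes SHA1, which has known collision problems.`, gives the wrong reason for steering people away from it — OAEP's security argument does not rest on the collision resistance of its hash/MGF1 function and no SHA-1 collision result is known to weaken RSA-OAEP; the practical driver is that SHA-1 is deprecated by current cryptographic standards and compliance profiles. I would reword it as `/// <see cref="RsaOaep"/> uses SHA-1 for its hash and mask generation; SHA-1 is deprecated by current cryptographic standards, so prefer <see cref="RsaOaep256"/> for new ciphertexts.` and, for Rsa15, name the reason rather than just "standards no longer consider it secure" (the PKCS#1 v1.5 padding-oracle class of attacks). The same remarks should state that ciphertexts are not interchangeable across algorithms — data encrypted with RsaOaep must still be decrypted with RsaOaep and re-encrypted to migrate — since that is the caveat an operator following this advice will hit first. Per the commit message the [Obsolete] attribute was reverted, so these remarks produce no build-time diagnostic and callers only see them in IntelliSense or generated docs; the `<see cref>` targets also do not survive this rendering, so verify them in the built API docs. The enclosing EncryptionAlgorithm type begins and ends outside this hunk.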
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecrypt.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecrypt.cs index dc684aca1b9e..0ef2ab19bd6d 100644 --- a/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecrypt.cs +++ b/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecrypt.cs @@ -44,12 +44,12 @@ public void EncryptDecryptSync() #region Snippet:KeysSample4EncryptKey byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext"); - EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext); + EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext); Debug.WriteLine($"Encrypted data using the algorithm {encryptResult.Algorithm}, with key {encryptResult.KeyId}. The resulting encrypted data is {Convert.ToBase64String(encryptResult.Ciphertext)}"); #endregion #region Snippet:KeysSample4DecryptKey - DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext); + DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext); Debug.WriteLine($"Decrypted data using the algorithm {decryptResult.Algorithm}, with key {decryptResult.KeyId}. The resulting decrypted data is {Encoding.UTF8.GetString(decryptResult.Plaintext)}"); #endregion diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecryptAsync.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecryptAsync.cs index c7375651846a..67eea7563774 100644 --- a/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecryptAsync.cs +++ b/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecryptAsync.cs 
@@ -47,11 +47,11 @@ public async Task EncryptDecryptAsync() byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext"); // First encrypt the data using RSAOAEP with the created key. - EncryptResult encryptResult = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep, plaintext); + EncryptResult encryptResult = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep256, plaintext); Debug.WriteLine($"Encrypted data using the algorithm {encryptResult.Algorithm}, with key {encryptResult.KeyId}. The resulting encrypted data is {Convert.ToBase64String(encryptResult.Ciphertext)}"); // Now decrypt the encrypted data. Note that the same algorithm must always be used for both encrypt and decrypt - DecryptResult decryptResult = await cryptoClient.DecryptAsync(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext); + DecryptResult decryptResult = await cryptoClient.DecryptAsync(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext); Debug.WriteLine($"Decrypted data using the algorithm {decryptResult.Algorithm}, with key {decryptResult.KeyId}. The resulting decrypted data is {Encoding.UTF8.GetString(decryptResult.Plaintext)}"); // The Cloud RSA Key is no longer needed, need to delete it from the Key Vault. diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/SampleSnippets.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/SampleSnippets.cs index 6b909d129a91..badba8c3ccff 100644 --- a/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/SampleSnippets.cs +++ b/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/SampleSnippets.cs 
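Review bot: The comment `// First encrypt the data using RSAOAEP with the created key.` directly above the changed EncryptAsync line is now stale, because the sample encrypts with RSA-OAEP-256; it should read `// First encrypt the data using RSA-OAEP-256 with the created key.`. Since the DecryptAsync call a few lines later must use the identical algorithm, keeping the comment exact helps readers who copy this sample choose a matching pair rather than mixing RsaOaep and RsaOaep256. The enclosing EncryptDecryptAsync method starts and ends outside the hunk.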
@@ -187,10 +187,10 @@ public void EncryptDecrypt() byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext"); // encrypt the data using the algorithm RSAOAEP - EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext); + EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext); // decrypt the encrypted data. - DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext); + DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext); #endregion }
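Review bot: The comment `// encrypt the data using the algorithm RSAOAEP` above the changed Encrypt call no longer matches the code, which now uses RsaOaep256; change it to `// encrypt the data using the algorithm RSA-OAEP-256`. This snippet is exported to the README via the Snippet region, so the stale wording would be copied into the published docs alongside the corrected code. The enclosing EncryptDecrypt method starts outside the hunk.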